From: Eric Marsden
Newsgroups: gmane.emacs.devel
Subject: Re: ALPN support for GnuTLS connections
Date: Tue, 15 Oct 2024 09:33:22 +0200
Message-ID: <2aa6b215-5e12-4641-9d4c-daf6a5d77817@risk-engineering.org>
To: rms@gnu.org
Cc: emacs-devel@gnu.org

On 15/10/2024 05:02, Richard Stallman wrote:
> Could you describe some specific situations in which ALPN would be
> useful in Emacs? What Wikipedia says about ALPN is very abstract --
> I'd like to get an idea of what concrete activities need ALPN
> or would be improved by it.
ALPN makes it possible to serve different application-level protocols (e.g. HTTP/1.1, HTTP/2, HTTP/3) from the same network endpoint, with the choice of application-level protocol made at the TLS protocol level. This means that the choice of application-level protocol is secure; it happens at the same protocol level as the checking of digital certificates. It also improves performance when establishing a network connection, because the negotiation of the application protocol is made during the initial handshake, without requiring multiple back-and-forth network messages.

Alternative historic methods for selecting an application-level protocol include the STARTTLS “connection upgrade” mechanism used for SMTP and IMAP, for example, and the “Upgrade” HTTP header used for protocol upgrade. These either have security problems (e.g. “STARTTLS stripping” to block the connection upgrade) or performance problems.

RFC 9325 “Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)” states that “TLS implementations (both client- and server-side) MUST support” ALPN.

In the particular example that motivated my interest in ALPN for Emacs, version 17 of the PostgreSQL database includes a new ALPN-based “direct TLS” connection mode, as an alternative to its historical STARTTLS-like connection upgrade mechanism. For a service provider who makes it possible to access PostgreSQL over the internet, there are many benefits to the new ALPN-based mechanism, such as allowing the use of commercial “TLS gateways” (that do no application-level processing) as entry points to their network.

I expect that over time, an increasing proportion of internet services will require ALPN.

Eric
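As an added illustration of the point made above (this is not code from the thread, from Emacs or from GnuTLS), the Go program below performs a TLS 1.3 handshake over an in-memory pipe with ALPN on both sides: the server publishes the protocols it serves, the client offers the ones it speaks, and the selection is made inside the handshake, so a client with no acceptable protocol is refused before any application bytes are exchanged. The certificate, the host name db.example.test and the protocol names "postgresql" and "h2" are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway certificate for the constructed name db.example.test,
// so the client can verify the server properly instead of skipping verification.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"db.example.test"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, _ := x509.ParseCertificate(der) // der was just produced above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool, nil
}

// NegotiateALPN runs one TLS handshake over an in-memory pipe: the server advertises
// serverProtos, the client offers clientProtos, and the server's preference decides.
// A client that offers nothing the server accepts gets a TLS alert, not a connection.
func NegotiateALPN(serverProtos, clientProtos []string) (string, error) {
	cert, pool, err := selfSignedCert()
	if err != nil { return "", err }
	srvConn, cliConn := net.Pipe()
	srv := tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{cert},
		NextProtos: serverProtos, SessionTicketsDisabled: true}) // no ticket flight on a synchronous pipe
	cli := tls.Client(cliConn, &tls.Config{RootCAs: pool,
		ServerName: "db.example.test", NextProtos: clientProtos})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cliErr := cli.Handshake()
	if err := <-srvErr; err != nil { return "", err }
	if cliErr != nil { return "", cliErr }
	return cli.ConnectionState().NegotiatedProtocol, nil
}
```

A client that sends no ALPN extension at all still connects with an empty negotiated protocol, which is why a deployment that wants to require ALPN must check the result rather than rely on the handshake alone.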